Bug 19295 - Provides bad crypt()-function
Summary: Provides bad crypt()-function
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-10-18 01:08 UTC by Enrico Scholz
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-10-18 12:16:08 UTC
Embargoed:


Attachments (Terms of Use)

Description Enrico Scholz 2000-10-18 01:08:05 UTC
libcrypto.0.9.5a contains a crypt()  function providing only the simple DES
encrypting. But libcrypt.so (part of glibc) allows MD5 encryption
supporting larger passwords.

E.g. compiling
------- test.cc ------
#define _XOPEN_SOURCE
#include <unistd.h>
#include <iostream>

int main() {
        std::cout << crypt("ABC", "$1$abcdef$") << std::endl;
}
-------

both with -lcrypt and -lcrypto is giving different output:

# g++ /tmp/crypt.cc -lcrypt && ./a.out 
$1$abcdef$huJsPyysqd.RqgtSA1ccS.

# g++ /tmp/crypt.cc -lcrypto && ./a.out 
$1EA5T9lIorRY



So you can loss the capability to use large passwd's if OpenSSL is linked
to the program (I have seen it with cvs-1.11).

Reason seems to lie in crypto/des/fcrypt.c where crypt() is nested in a
complicated #if-#else clause. Perhaps it's fixed in OpenSSL-0.9.6 but I
have no opportunity to test it now.

Comment 1 Nalin Dahyabhai 2000-10-24 20:28:49 UTC
This will be fixed in openssl-0.9.5a-19 in Raw Hide.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.